tdf#105844 package,sfx2: remove checksum infoleak when using AEAD
AEAD provides the verification of the password automatically, by reading
the entire stream the tag at the end will be verified.
The existing attributes manifest:checksum-type/manifest:checksum leak
information about the plain text.
This was mitigated with the addChaffWhenEncryptedStorage() functions
(see commit f57baefbd3c4c5d8e5ec28e8702c91d60ffc5de2) but a better
solution that also works for non-XML streams is to simply omit the
attributes; authenticated encryption provides better verification
without any leak.
* "ChecksumAlgorithm" property can be set to void now to remove the
checksum
* change a bunch of members in EncryptionData, ZipPackage,
ZipPackageStream to optional
* change ZipFile::checkValidPassword() to open the stream and return it
Change-Id: Id95288d0c238c4f9940fc5a185df814e8edcbad3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160711
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
diff --git a/offapi/com/sun/star/xml/crypto/CipherID.idl b/offapi/com/sun/star/xml/crypto/CipherID.idl
index c1ecd29..3d9bbc0 100644
--- a/offapi/com/sun/star/xml/crypto/CipherID.idl
+++ b/offapi/com/sun/star/xml/crypto/CipherID.idl
@@ -46,7 +46,7 @@ constants CipherID
@see https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
@since LO 24.2
@since LibreOffice 24.2
*/
const long AES_GCM_W3C = 3;
};
diff --git a/package/inc/EncryptionData.hxx b/package/inc/EncryptionData.hxx
index 73408a0..f2d5c0b 100644
--- a/package/inc/EncryptionData.hxx
+++ b/package/inc/EncryptionData.hxx
@@ -22,6 +22,8 @@
#include <com/sun/star/uno/Sequence.hxx>
#include <cppuhelper/weak.hxx>
#include <optional>
class BaseEncryptionData : public cppu::OWeakObject
{
public:
@@ -47,16 +49,20 @@ class EncryptionData final : public BaseEncryptionData
public:
css::uno::Sequence < sal_Int8 > m_aKey;
sal_Int32 m_nEncAlg;
sal_Int32 m_nCheckAlg;
::std::optional<sal_Int32> m_oCheckAlg;
sal_Int32 m_nDerivedKeySize;
sal_Int32 m_nStartKeyGenID;
bool m_bTryWrongSHA1;
EncryptionData(const BaseEncryptionData& aData, const css::uno::Sequence< sal_Int8 >& aKey, sal_Int32 nEncAlg, sal_Int32 nCheckAlg, sal_Int32 nDerivedKeySize, sal_Int32 nStartKeyGenID, bool const bTryWrongSHA1)
EncryptionData(const BaseEncryptionData& aData,
const css::uno::Sequence<sal_Int8>& aKey, sal_Int32 const nEncAlg,
::std::optional<sal_Int32> const oCheckAlg,
sal_Int32 const nDerivedKeySize, sal_Int32 const nStartKeyGenID,
bool const bTryWrongSHA1)
: BaseEncryptionData( aData )
, m_aKey( aKey )
, m_nEncAlg( nEncAlg )
, m_nCheckAlg( nCheckAlg )
, m_oCheckAlg( oCheckAlg )
, m_nDerivedKeySize( nDerivedKeySize )
, m_nStartKeyGenID( nStartKeyGenID )
, m_bTryWrongSHA1(bTryWrongSHA1)
@@ -66,7 +72,7 @@ public:
: BaseEncryptionData( aData )
, m_aKey( aData.m_aKey )
, m_nEncAlg( aData.m_nEncAlg )
, m_nCheckAlg( aData.m_nCheckAlg )
, m_oCheckAlg( aData.m_oCheckAlg )
, m_nDerivedKeySize( aData.m_nDerivedKeySize )
, m_nStartKeyGenID( aData.m_nStartKeyGenID )
, m_bTryWrongSHA1(aData.m_bTryWrongSHA1)
diff --git a/package/inc/ZipFile.hxx b/package/inc/ZipFile.hxx
index f6b1849..2d42ed4 100644
--- a/package/inc/ZipFile.hxx
+++ b/package/inc/ZipFile.hxx
@@ -70,7 +70,9 @@ class ZipFile
const bool bUseBufferedStream = true,
const OUString& aMediaType = OUString() );
bool hasValidPassword ( ZipEntry const & rEntry, const rtl::Reference < EncryptionData > &rData );
css::uno::Reference<css::io::XInputStream> checkValidPassword(
ZipEntry const& rEntry, rtl::Reference<EncryptionData> const& rData,
rtl::Reference<comphelper::RefCountedMutex> const& rMutexHolder);
bool checkSizeAndCRC( const ZipEntry& aEntry );
diff --git a/package/inc/ZipPackage.hxx b/package/inc/ZipPackage.hxx
index 48067f3..5d196fe 100644
--- a/package/inc/ZipPackage.hxx
+++ b/package/inc/ZipPackage.hxx
@@ -78,7 +78,7 @@ class ZipPackage final : public cppu::WeakImplHelper
OUString m_aURL;
sal_Int32 m_nStartKeyGenerationID;
sal_Int32 m_nChecksumDigestID;
::std::optional<sal_Int32> m_oChecksumDigestID;
sal_Int32 m_nCommonEncryptionID;
bool m_bHasEncryptedEntries;
bool m_bHasNonEncryptedEntries;
@@ -124,7 +124,7 @@ public:
sal_Int32 GetStartKeyGenID() const { return m_nStartKeyGenerationID; }
sal_Int32 GetEncAlgID() const { return m_nCommonEncryptionID; }
sal_Int32 GetChecksumAlgID() const { return m_nChecksumDigestID; }
::std::optional<sal_Int32> GetChecksumAlgID() const { return m_oChecksumDigestID; }
sal_Int32 GetDefaultDerivedKeySize() const {
switch (m_nCommonEncryptionID)
{
diff --git a/package/inc/ZipPackageStream.hxx b/package/inc/ZipPackageStream.hxx
index 91beaf2..b39c59e 100644
--- a/package/inc/ZipPackageStream.hxx
+++ b/package/inc/ZipPackageStream.hxx
@@ -29,6 +29,8 @@
#include "EncryptionData.hxx"
#include <optional>
#define PACKAGE_STREAM_NOTSET 0
#define PACKAGE_STREAM_PACKAGEMEMBER 1
#define PACKAGE_STREAM_DETECT 2
@@ -55,7 +57,7 @@ private:
sal_Int32 m_nImportedStartKeyAlgorithm;
sal_Int32 m_nImportedEncryptionAlgorithm;
sal_Int32 m_nImportedChecksumAlgorithm;
::std::optional<sal_Int32> m_oImportedChecksumAlgorithm;
sal_Int32 m_nImportedDerivedKeySize;
sal_uInt8 m_nStreamMode;
@@ -95,7 +97,7 @@ public:
void SetIsEncrypted (bool bNewValue) { m_bIsEncrypted = bNewValue;}
void SetImportedStartKeyAlgorithm( sal_Int32 nAlgorithm ) { m_nImportedStartKeyAlgorithm = nAlgorithm; }
void SetImportedEncryptionAlgorithm( sal_Int32 nAlgorithm ) { m_nImportedEncryptionAlgorithm = nAlgorithm; }
void SetImportedChecksumAlgorithm( sal_Int32 nAlgorithm ) { m_nImportedChecksumAlgorithm = nAlgorithm; }
void SetImportedChecksumAlgorithm(::std::optional<sal_Int32> const& roAlgorithm) { m_oImportedChecksumAlgorithm = roAlgorithm; }
void SetImportedDerivedKeySize( sal_Int32 nSize ) { m_nImportedDerivedKeySize = nSize; }
void SetToBeEncrypted (bool bNewValue)
{
diff --git a/package/source/manifest/ManifestExport.cxx b/package/source/manifest/ManifestExport.cxx
index 9921b1b..aa9e9aa 100644
--- a/package/source/manifest/ManifestExport.cxx
+++ b/package/source/manifest/ManifestExport.cxx
@@ -337,7 +337,7 @@ ManifestExport::ManifestExport( uno::Reference< xml::sax::XDocumentHandler > con
xHandler->ignorableWhitespace ( sWhiteSpace );
xHandler->startElement( ELEMENT_FILE_ENTRY , pAttrList);
if ( pVector && pSalt && pIterationCount && pDigest && pDigestAlg && pEncryptAlg && pStartKeyAlg && pDerivedKeySize )
if (pVector && pSalt && pIterationCount && pEncryptAlg && pStartKeyAlg && pDerivedKeySize)
{
// ==== Encryption Data
rtl::Reference<::comphelper::AttributeList> pNewAttrList = new ::comphelper::AttributeList;
@@ -347,20 +347,23 @@ ManifestExport::ManifestExport( uno::Reference< xml::sax::XDocumentHandler > con
xHandler->ignorableWhitespace ( sWhiteSpace );
// ==== Digest
OUString sChecksumType;
sal_Int32 nDigestAlgID = 0;
*pDigestAlg >>= nDigestAlgID;
if ( nDigestAlgID == xml::crypto::DigestID::SHA256_1K )
sChecksumType = sSHA256_1k_URL;
else if ( nDigestAlgID == xml::crypto::DigestID::SHA1_1K )
sChecksumType = sSHA1_1k_Name;
else
throw uno::RuntimeException( THROW_WHERE "Unexpected digest algorithm is provided!" );
if (pDigest && pDigestAlg && pDigestAlg->hasValue())
{
OUString sChecksumType;
sal_Int32 nDigestAlgID = 0;
*pDigestAlg >>= nDigestAlgID;
if ( nDigestAlgID == xml::crypto::DigestID::SHA256_1K )
sChecksumType = sSHA256_1k_URL;
else if ( nDigestAlgID == xml::crypto::DigestID::SHA1_1K )
sChecksumType = sSHA1_1k_Name;
else
throw uno::RuntimeException( THROW_WHERE "Unexpected digest algorithm is provided!" );
pNewAttrList->AddAttribute ( ATTRIBUTE_CHECKSUM_TYPE, sChecksumType );
*pDigest >>= aSequence;
::comphelper::Base64::encode(aBuffer, aSequence);
pNewAttrList->AddAttribute ( ATTRIBUTE_CHECKSUM, aBuffer.makeStringAndClear() );
pNewAttrList->AddAttribute(ATTRIBUTE_CHECKSUM_TYPE, sChecksumType);
*pDigest >>= aSequence;
::comphelper::Base64::encode(aBuffer, aSequence);
pNewAttrList->AddAttribute(ATTRIBUTE_CHECKSUM, aBuffer.makeStringAndClear());
}
xHandler->startElement( ELEMENT_ENCRYPTION_DATA , pNewAttrList);
diff --git a/package/source/manifest/ManifestImport.cxx b/package/source/manifest/ManifestImport.cxx
index b7aa57f..0458eb9 100644
--- a/package/source/manifest/ManifestImport.cxx
+++ b/package/source/manifest/ManifestImport.cxx
@@ -164,10 +164,10 @@ void ManifestImport::doEncryptionData(StringHashMap &rConvertedAttribs)
} else if ( aString == SHA256_1K_URL ) {
aSequence[PKG_MNFST_DIGESTALG].Name = gsDigestAlgProperty;
aSequence[PKG_MNFST_DIGESTALG].Value <<= xml::crypto::DigestID::SHA256_1K;
} else
bIgnoreEncryptData = true;
}
// note: digest is now *optional* - expected not to be used with AEAD
if ( !bIgnoreEncryptData ) {
if (aSequence[PKG_MNFST_DIGESTALG].Value.hasValue()) {
aString = rConvertedAttribs[ATTRIBUTE_CHECKSUM];
uno::Sequence < sal_Int8 > aDecodeBuffer;
::comphelper::Base64::decode(aDecodeBuffer, aString);
diff --git a/package/source/zipapi/XUnbufferedStream.cxx b/package/source/zipapi/XUnbufferedStream.cxx
index bd2cf4d..350f142 100644
--- a/package/source/zipapi/XUnbufferedStream.cxx
+++ b/package/source/zipapi/XUnbufferedStream.cxx
@@ -272,6 +272,7 @@ sal_Int32 SAL_CALL XUnbufferedStream::readBytes( Sequence< sal_Int8 >& aData, sa
maCompBuffer = m_xCipherContext->convertWithCipherContext( maCompBuffer );
if ( mnZipCurrent == mnZipEnd )
{
// this should throw if AEAD is in use and the tag fails to validate
uno::Sequence< sal_Int8 > aSuffix = m_xCipherContext->finalizeCipherContextAndDispose();
if ( aSuffix.hasElements() )
{
diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx
index 1b4b7ec..664cfa7 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -133,8 +133,10 @@ void ZipFile::setInputStream ( const uno::Reference < XInputStream >& xNewStream
uno::Reference< xml::crypto::XDigestContext > ZipFile::StaticGetDigestContextForChecksum( const uno::Reference< uno::XComponentContext >& xArgContext, const ::rtl::Reference< EncryptionData >& xEncryptionData )
{
assert(xEncryptionData->m_oCheckAlg); // callers checked it already
uno::Reference< xml::crypto::XDigestContext > xDigestContext;
if ( xEncryptionData->m_nCheckAlg == xml::crypto::DigestID::SHA256_1K )
if (*xEncryptionData->m_oCheckAlg == xml::crypto::DigestID::SHA256_1K)
{
uno::Reference< uno::XComponentContext > xContext = xArgContext;
if ( !xContext.is() )
@@ -142,9 +144,11 @@ uno::Reference< xml::crypto::XDigestContext > ZipFile::StaticGetDigestContextFor
uno::Reference< xml::crypto::XNSSInitializer > xDigestContextSupplier = xml::crypto::NSSInitializer::create( xContext );
xDigestContext.set( xDigestContextSupplier->getDigestContext( xEncryptionData->m_nCheckAlg, uno::Sequence< beans::NamedValue >() ), uno::UNO_SET_THROW );
xDigestContext.set(xDigestContextSupplier->getDigestContext(
*xEncryptionData->m_oCheckAlg, uno::Sequence<beans::NamedValue>()),
uno::UNO_SET_THROW);
}
else if ( xEncryptionData->m_nCheckAlg == xml::crypto::DigestID::SHA1_1K )
else if (*xEncryptionData->m_oCheckAlg == xml::crypto::DigestID::SHA1_1K)
{
if (xEncryptionData->m_bTryWrongSHA1)
{
@@ -253,7 +257,7 @@ void ZipFile::StaticFillHeader( const ::rtl::Reference< EncryptionData >& rData,
*(pHeader++) = static_cast< sal_Int8 >(( nEncAlgID >> 24 ) & 0xFF);
// Then the checksum algorithm
sal_Int32 nChecksumAlgID = rData->m_nCheckAlg;
sal_Int32 nChecksumAlgID = rData->m_oCheckAlg ? *rData->m_oCheckAlg : 0;
*(pHeader++) = static_cast< sal_Int8 >(( nChecksumAlgID >> 0 ) & 0xFF);
*(pHeader++) = static_cast< sal_Int8 >(( nChecksumAlgID >> 8 ) & 0xFF);
*(pHeader++) = static_cast< sal_Int8 >(( nChecksumAlgID >> 16 ) & 0xFF);
@@ -411,8 +415,7 @@ void CheckSequence( const uno::Sequence< sal_Int8 >& aSequence )
bool ZipFile::StaticHasValidPassword( const uno::Reference< uno::XComponentContext >& rxContext, const Sequence< sal_Int8 > &aReadBuffer, const ::rtl::Reference< EncryptionData > &rData )
{
if (rData->m_nEncAlg == xml::crypto::CipherID::AES_GCM_W3C)
return true; /*TODO fails because of tag*/
assert(rData->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C); // should not be called for AEAD
if ( !rData.is() || !rData->m_aKey.hasElements() )
return false;
@@ -465,12 +468,31 @@ bool ZipFile::StaticHasValidPassword( const uno::Reference< uno::XComponentConte
return bRet;
}
bool ZipFile::hasValidPassword ( ZipEntry const & rEntry, const ::rtl::Reference< EncryptionData >& rData )
uno::Reference<io::XInputStream> ZipFile::checkValidPassword(
ZipEntry const& rEntry, ::rtl::Reference<EncryptionData> const& rData,
rtl::Reference<comphelper::RefCountedMutex> const& rMutex)
{
::osl::MutexGuard aGuard( m_aMutexHolder->GetMutex() );
bool bRet = false;
if ( rData.is() && rData->m_aKey.hasElements() )
if (rData.is() && rData->m_nEncAlg == xml::crypto::CipherID::AES_GCM_W3C)
{
try // the only way to find out: decrypt the whole stream, which will
{ // check the tag
uno::Reference<io::XInputStream> const xRet =
createStreamForZipEntry(rMutex, rEntry, rData, UNBUFF_STREAM_DATA, true);
// currently XBufferedStream reads the whole stream in its ctor (to
// verify the tag) - in case this gets changed, explicitly seek here
uno::Reference<io::XSeekable> const xSeek(xRet, uno::UNO_QUERY_THROW);
xSeek->seek(xSeek->getLength());
xSeek->seek(0);
return xRet;
}
catch (uno::Exception const&)
{
return {};
}
}
else if (rData.is() && rData->m_aKey.hasElements())
{
css::uno::Reference < css::io::XSeekable > xSeek(xStream, UNO_QUERY_THROW);
xSeek->seek( rEntry.nOffset );
@@ -484,10 +506,14 @@ bool ZipFile::hasValidPassword ( ZipEntry const & rEntry, const ::rtl::Reference
xStream->readBytes( aReadBuffer, nSize );
bRet = StaticHasValidPassword( m_xContext, aReadBuffer, rData );
if (StaticHasValidPassword(m_xContext, aReadBuffer, rData))
{
return createStreamForZipEntry(
rMutex, rEntry, rData, UNBUFF_STREAM_DATA, true);
}
}
return bRet;
return {};
}
namespace {
@@ -648,8 +674,30 @@ uno::Reference< XInputStream > ZipFile::StaticGetDataFromRawStream(
// if we have a digest, then this file is an encrypted one and we should
// check if we can decrypt it or not
OSL_ENSURE(rData->m_aDigest.hasElements(), "Can't detect password correctness without digest!");
if (rData->m_aDigest.hasElements())
SAL_WARN_IF(rData->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C && !rData->m_aDigest.hasElements(),
"package", "Can't detect password correctness without digest!");
if (rData->m_nEncAlg == xml::crypto::CipherID::AES_GCM_W3C)
{
// skip header
xSeek->seek(n_ConstHeaderSize + rData->m_aInitVector.getLength()
+ rData->m_aSalt.getLength() + rData->m_aDigest.getLength());
try
{ // XUnbufferedStream does not support XSeekable so wrap it
::rtl::Reference<XBufferedStream> const pRet(
new XBufferedStream(new XUnbufferedStream(rMutexHolder, xStream, rData)));
// currently XBufferedStream reads the whole stream in its ctor (to
// verify the tag) - in case this gets changed, explicitly seek here
pRet->seek(pRet->getLength());
pRet->seek(0);
return pRet;
}
catch (uno::Exception const&)
{
throw packages::WrongPasswordException(THROW_WHERE);
}
}
else if (rData->m_aDigest.hasElements())
{
sal_Int32 nSize = sal::static_int_cast<sal_Int32>(xSeek->getLength());
if (nSize > n_ConstDigestLength + 32)
@@ -691,10 +739,15 @@ uno::Reference< XInputStream > ZipFile::getInputStream( ZipEntry& rEntry,
bool bNeedRawStream = rEntry.nMethod == STORED;
// if we have a digest, then this file is an encrypted one and we should
// check if we can decrypt it or not
if ( bIsEncrypted && rData.is() && rData->m_aDigest.hasElements() )
bNeedRawStream = !hasValidPassword ( rEntry, rData );
if (bIsEncrypted && rData.is())
{
uno::Reference<XInputStream> const xRet(checkValidPassword(rEntry, rData, aMutexHolder));
if (xRet.is())
{
return xRet;
}
bNeedRawStream = true;
}
return createStreamForZipEntry ( aMutexHolder,
rEntry,
@@ -725,9 +778,14 @@ uno::Reference< XInputStream > ZipFile::getDataStream( ZipEntry& rEntry,
// if we have a digest, then this file is an encrypted one and we should
// check if we can decrypt it or not
OSL_ENSURE( rData->m_aDigest.hasElements(), "Can't detect password correctness without digest!" );
if ( rData->m_aDigest.hasElements() && !hasValidPassword ( rEntry, rData ) )
throw packages::WrongPasswordException(THROW_WHERE );
SAL_WARN_IF(rData->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C && !rData->m_aDigest.hasElements(),
"package", "Can't detect password correctness without digest!");
uno::Reference<XInputStream> const xRet(checkValidPassword(rEntry, rData, aMutexHolder));
if (!xRet.is())
{
throw packages::WrongPasswordException(THROW_WHERE);
}
return xRet;
}
else
bNeedRawStream = ( rEntry.nMethod == STORED );
diff --git a/package/source/zipapi/ZipOutputEntry.cxx b/package/source/zipapi/ZipOutputEntry.cxx
index 86c8a97..9d9c1e9 100644
--- a/package/source/zipapi/ZipOutputEntry.cxx
+++ b/package/source/zipapi/ZipOutputEntry.cxx
@@ -21,6 +21,7 @@
#include <com/sun/star/io/TempFile.hpp>
#include <com/sun/star/packages/zip/ZipConstants.hpp>
#include <com/sun/star/xml/crypto/CipherID.hpp>
#include <osl/diagnose.h>
@@ -60,7 +61,11 @@ ZipOutputEntryBase::ZipOutputEntryBase(
if (m_bEncryptCurrentEntry)
{
m_xCipherContext = ZipFile::StaticGetCipher( m_xContext, pStream->GetEncryptionData(), true );
m_xDigestContext = ZipFile::StaticGetDigestContextForChecksum( m_xContext, pStream->GetEncryptionData() );
if (pStream->GetEncryptionData()->m_oCheckAlg)
{
assert(pStream->GetEncryptionData()->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C);
m_xDigestContext = ZipFile::StaticGetDigestContextForChecksum(m_xContext, pStream->GetEncryptionData());
}
}
}
@@ -118,11 +123,11 @@ void ZipOutputEntryBase::processDeflated( const uno::Sequence< sal_Int8 >& defla
if ( nLength > 0 )
{
uno::Sequence< sal_Int8 > aTmpBuffer( deflateBuffer.getConstArray(), nLength );
if ( m_bEncryptCurrentEntry && m_xDigestContext.is() && m_xCipherContext.is() )
if (m_bEncryptCurrentEntry && m_xCipherContext.is())
{
// Need to update our digest before encryption...
sal_Int32 nDiff = n_ConstDigestLength - m_nDigested;
if ( nDiff )
if (m_xDigestContext.is() && nDiff)
{
sal_Int32 nEat = ::std::min( nLength, nDiff );
uno::Sequence< sal_Int8 > aTmpSeq( aTmpBuffer.getConstArray(), nEat );
@@ -146,7 +151,7 @@ void ZipOutputEntryBase::processDeflated( const uno::Sequence< sal_Int8 >& defla
}
}
if ( !(isDeflaterFinished() && m_bEncryptCurrentEntry && m_xDigestContext.is() && m_xCipherContext.is()) )
if (!(isDeflaterFinished() && m_bEncryptCurrentEntry && m_xCipherContext.is()))
return;
// FIXME64: sequence not 64bit safe.
diff --git a/package/source/zippackage/ZipPackage.cxx b/package/source/zippackage/ZipPackage.cxx
index aacb5cd..1bae902 100644
--- a/package/source/zippackage/ZipPackage.cxx
+++ b/package/source/zippackage/ZipPackage.cxx
@@ -138,7 +138,7 @@ class DummyInputStream : public ::cppu::WeakImplHelper< XInputStream >
ZipPackage::ZipPackage ( uno::Reference < XComponentContext > xContext )
: m_aMutexHolder( new comphelper::RefCountedMutex )
, m_nStartKeyGenerationID( xml::crypto::DigestID::SHA1 )
, m_nChecksumDigestID( xml::crypto::DigestID::SHA1_1K )
, m_oChecksumDigestID( xml::crypto::DigestID::SHA1_1K )
, m_nCommonEncryptionID( xml::crypto::CipherID::BLOWFISH_CFB_8 )
, m_bHasEncryptedEntries ( false )
, m_bHasNonEncryptedEntries ( false )
@@ -251,11 +251,16 @@ void ZipPackage::parseManifest()
pStream->SetMediaType ( sMediaType );
pStream->SetFromManifest( true );
if ( pKeyInfo && pVector && pSize && pDigest && pDigestAlg && pEncryptionAlg )
if (pKeyInfo
&& pVector && pSize && pEncryptionAlg
&& ((pEncryptionAlg->has<sal_Int32>()
&& pEncryptionAlg->get<sal_Int32>() == xml::crypto::CipherID::AES_GCM_W3C)
|| (pDigest && pDigestAlg)))
{
uno::Sequence < sal_Int8 > aSequence;
sal_Int64 nSize = 0;
sal_Int32 nDigestAlg = 0, nEncryptionAlg = 0;
::std::optional<sal_Int32> oDigestAlg;
sal_Int32 nEncryptionAlg = 0;
pStream->SetToBeEncrypted ( true );
@@ -265,11 +270,15 @@ void ZipPackage::parseManifest()
*pSize >>= nSize;
pStream->setSize ( nSize );
*pDigest >>= aSequence;
pStream->setDigest ( aSequence );
if (pDigest && pDigestAlg)
{
*pDigest >>= aSequence;
pStream->setDigest(aSequence);
*pDigestAlg >>= nDigestAlg;
pStream->SetImportedChecksumAlgorithm( nDigestAlg );
assert(pDigestAlg->has<sal_Int32>());
oDigestAlg.emplace(pDigestAlg->get<sal_Int32>());
pStream->SetImportedChecksumAlgorithm(oDigestAlg);
}
*pEncryptionAlg >>= nEncryptionAlg;
pStream->SetImportedEncryptionAlgorithm( nEncryptionAlg );
@@ -292,16 +301,23 @@ void ZipPackage::parseManifest()
|| pStream->getName() == "encrypted-package"))
{
m_bHasEncryptedEntries = true;
m_nChecksumDigestID = nDigestAlg;
m_oChecksumDigestID = oDigestAlg;
m_nCommonEncryptionID = nEncryptionAlg;
m_nStartKeyGenerationID = nStartKeyAlg;
}
}
else if ( pSalt && pVector && pCount && pSize && pDigest && pDigestAlg && pEncryptionAlg )
else if (pSalt && pCount
&& pVector && pSize && pEncryptionAlg
&& ((pEncryptionAlg->has<sal_Int32>()
&& pEncryptionAlg->get<sal_Int32>() == xml::crypto::CipherID::AES_GCM_W3C)
|| (pDigest && pDigestAlg)))
{
uno::Sequence < sal_Int8 > aSequence;
sal_Int64 nSize = 0;
sal_Int32 nCount = 0, nDigestAlg = 0, nEncryptionAlg = 0;
::std::optional<sal_Int32> oDigestAlg;
sal_Int32 nEncryptionAlg = 0;
sal_Int32 nCount = 0;
sal_Int32 nDerivedKeySize = 16, nStartKeyAlg = xml::crypto::DigestID::SHA1;
pStream->SetToBeEncrypted ( true );
@@ -318,11 +334,15 @@ void ZipPackage::parseManifest()
*pSize >>= nSize;
pStream->setSize ( nSize );
*pDigest >>= aSequence;
pStream->setDigest ( aSequence );
if (pDigest && pDigestAlg)
{
*pDigest >>= aSequence;
pStream->setDigest(aSequence);
*pDigestAlg >>= nDigestAlg;
pStream->SetImportedChecksumAlgorithm( nDigestAlg );
assert(pDigestAlg->has<sal_Int32>());
oDigestAlg.emplace(pDigestAlg->get<sal_Int32>());
pStream->SetImportedChecksumAlgorithm(oDigestAlg);
}
*pEncryptionAlg >>= nEncryptionAlg;
pStream->SetImportedEncryptionAlgorithm( nEncryptionAlg );
@@ -344,7 +364,7 @@ void ZipPackage::parseManifest()
{
m_bHasEncryptedEntries = true;
m_nStartKeyGenerationID = nStartKeyAlg;
m_nChecksumDigestID = nDigestAlg;
m_oChecksumDigestID = oDigestAlg;
m_nCommonEncryptionID = nEncryptionAlg;
}
}
@@ -1736,13 +1756,18 @@ void SAL_CALL ZipPackage::setPropertyValue( const OUString& aPropertyName, const
else if ( rAlgorithm.Name == "ChecksumAlgorithm" )
{
sal_Int32 nID = 0;
if (!rAlgorithm.Value.hasValue())
{
m_oChecksumDigestID.reset();
continue;
}
if ( !( rAlgorithm.Value >>= nID )
|| ( nID != xml::crypto::DigestID::SHA1_1K && nID != xml::crypto::DigestID::SHA256_1K ) )
{
throw IllegalArgumentException(THROW_WHERE "Unexpected checksum algorithm is provided!", uno::Reference<uno::XInterface>(), 2);
}
m_nChecksumDigestID = nID;
m_oChecksumDigestID.emplace(nID);
}
else
{
@@ -1765,7 +1790,7 @@ void SAL_CALL ZipPackage::setPropertyValue( const OUString& aPropertyName, const
// defaults) with reasonable values
m_nStartKeyGenerationID = 0; // this is unused for PGP
m_nCommonEncryptionID = xml::crypto::CipherID::AES_CBC_W3C_PADDING;
m_nChecksumDigestID = xml::crypto::DigestID::SHA512_1K;
m_oChecksumDigestID.emplace(xml::crypto::DigestID::SHA512_1K);
}
else
throw UnknownPropertyException(aPropertyName);
@@ -1786,7 +1811,14 @@ Any SAL_CALL ZipPackage::getPropertyValue( const OUString& PropertyName )
::comphelper::SequenceAsHashMap aAlgorithms;
aAlgorithms["StartKeyGenerationAlgorithm"] <<= m_nStartKeyGenerationID;
aAlgorithms["EncryptionAlgorithm"] <<= m_nCommonEncryptionID;
aAlgorithms["ChecksumAlgorithm"] <<= m_nChecksumDigestID;
if (m_oChecksumDigestID)
{
aAlgorithms["ChecksumAlgorithm"] <<= *m_oChecksumDigestID;
}
else
{
aAlgorithms["ChecksumAlgorithm"];
}
return Any(aAlgorithms.getAsConstNamedValueList());
}
if ( PropertyName == STORAGE_ENCRYPTION_KEYS_PROPERTY )
diff --git a/package/source/zippackage/ZipPackageStream.cxx b/package/source/zippackage/ZipPackageStream.cxx
index 494d8aa..6ef2241 100644
--- a/package/source/zippackage/ZipPackageStream.cxx
+++ b/package/source/zippackage/ZipPackageStream.cxx
@@ -85,7 +85,6 @@ ZipPackageStream::ZipPackageStream ( ZipPackage & rNewPackage,
, m_bIsEncrypted ( false )
, m_nImportedStartKeyAlgorithm( 0 )
, m_nImportedEncryptionAlgorithm( 0 )
, m_nImportedChecksumAlgorithm( 0 )
, m_nImportedDerivedKeySize( 0 )
, m_nStreamMode( PACKAGE_STREAM_NOTSET )
, m_nMagicalHackPos( 0 )
@@ -208,7 +207,7 @@ sal_Int32 ZipPackageStream::GetIVSize() const
*m_xBaseEncryptionData,
GetEncryptionKey(bugs),
GetEncryptionAlgorithm(),
m_nImportedChecksumAlgorithm ? m_nImportedChecksumAlgorithm : m_rZipPackage.GetChecksumAlgID(),
m_oImportedChecksumAlgorithm ? m_oImportedChecksumAlgorithm : m_rZipPackage.GetChecksumAlgID(),
m_nImportedDerivedKeySize ? m_nImportedDerivedKeySize : m_rZipPackage.GetDefaultDerivedKeySize(),
GetStartKeyGenID(),
bugs != Bugs::None);
@@ -354,6 +353,9 @@ uno::Reference< io::XInputStream > ZipPackageStream::TryToGetRawFromDataStream(
throw io::IOException(THROW_WHERE );
}
// presumably the purpose of this is to transfer encrypted streams between
// storages, needed for password-protected macros in documents, which is
// tragically a feature that exists
bool ZipPackageStream::ParsePackageRawStream()
{
OSL_ENSURE( GetOwnSeekStream().is(), "A stream must be provided!" );
@@ -395,7 +397,14 @@ bool ZipPackageStream::ParsePackageRawStream()
+ xTempEncrData->m_aDigest.getLength()
+ aMediaType.getLength() * sizeof( sal_Unicode );
m_nImportedEncryptionAlgorithm = nEncAlgorithm;
m_nImportedChecksumAlgorithm = nChecksumAlgorithm;
if (nChecksumAlgorithm == 0)
{
m_oImportedChecksumAlgorithm.reset();
}
else
{
m_oImportedChecksumAlgorithm.emplace(nChecksumAlgorithm);
}
m_nImportedDerivedKeySize = nDerivedKeySize;
m_nImportedStartKeyAlgorithm = nStartKeyGenID;
m_nMagicalHackSize = nMagHackSize;
@@ -617,13 +626,20 @@ bool ZipPackageStream::saveChild(
throw uno::RuntimeException();
pPropSet[PKG_MNFST_DIGEST].Name = sDigestProperty;
pPropSet[PKG_MNFST_DIGEST].Value <<= m_xBaseEncryptionData->m_aDigest;
if (xEncData->m_oCheckAlg)
{
pPropSet[PKG_MNFST_DIGEST].Value <<= m_xBaseEncryptionData->m_aDigest;
}
pPropSet[PKG_MNFST_ENCALG].Name = sEncryptionAlgProperty;
pPropSet[PKG_MNFST_ENCALG].Value <<= xEncData->m_nEncAlg;
pPropSet[PKG_MNFST_STARTALG].Name = sStartKeyAlgProperty;
pPropSet[PKG_MNFST_STARTALG].Value <<= xEncData->m_nStartKeyGenID;
pPropSet[PKG_MNFST_DIGESTALG].Name = sDigestAlgProperty;
pPropSet[PKG_MNFST_DIGESTALG].Value <<= xEncData->m_nCheckAlg;
if (xEncData->m_oCheckAlg)
{
assert(xEncData->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C);
pPropSet[PKG_MNFST_DIGESTALG].Value <<= *xEncData->m_oCheckAlg;
}
pPropSet[PKG_MNFST_DERKEYSIZE].Name = sDerivedKeySizeProperty;
pPropSet[PKG_MNFST_DERKEYSIZE].Value <<= xEncData->m_nDerivedKeySize;
}
@@ -808,13 +824,20 @@ bool ZipPackageStream::saveChild(
throw uno::RuntimeException();
pPropSet[PKG_MNFST_DIGEST].Name = sDigestProperty;
pPropSet[PKG_MNFST_DIGEST].Value <<= m_xBaseEncryptionData->m_aDigest;
if (xEncData->m_oCheckAlg)
{
pPropSet[PKG_MNFST_DIGEST].Value <<= m_xBaseEncryptionData->m_aDigest;
}
pPropSet[PKG_MNFST_ENCALG].Name = sEncryptionAlgProperty;
pPropSet[PKG_MNFST_ENCALG].Value <<= xEncData->m_nEncAlg;
pPropSet[PKG_MNFST_STARTALG].Name = sStartKeyAlgProperty;
pPropSet[PKG_MNFST_STARTALG].Value <<= xEncData->m_nStartKeyGenID;
pPropSet[PKG_MNFST_DIGESTALG].Name = sDigestAlgProperty;
pPropSet[PKG_MNFST_DIGESTALG].Value <<= xEncData->m_nCheckAlg;
if (xEncData->m_oCheckAlg)
{
assert(xEncData->m_nEncAlg != xml::crypto::CipherID::AES_GCM_W3C);
pPropSet[PKG_MNFST_DIGESTALG].Value <<= *xEncData->m_oCheckAlg;
}
pPropSet[PKG_MNFST_DERKEYSIZE].Name = sDerivedKeySizeProperty;
pPropSet[PKG_MNFST_DERKEYSIZE].Value <<= xEncData->m_nDerivedKeySize;
diff --git a/sfx2/source/doc/objstor.cxx b/sfx2/source/doc/objstor.cxx
index 8a303d1..40449b0 100644
--- a/sfx2/source/doc/objstor.cxx
+++ b/sfx2/source/doc/objstor.cxx
@@ -366,7 +366,7 @@ void SfxObjectShell::SetupStorage( const uno::Reference< embed::XStorage >& xSto
if (UseODFWholesomeEncryption(nDefVersion))
{
pEncryptionAlgs[1].Value <<= xml::crypto::CipherID::AES_GCM_W3C;
pEncryptionAlgs[2].Value <<= xml::crypto::DigestID::SHA256_1K;
pEncryptionAlgs[2].Value.clear();
}
else
{
